#VU11229 XXE attack in Libxml2 - CVE-2017-7375

Cybersecurity Help s.r.o.

Published: 2018-03-22

Vulnerability identifier: #VU11229

Vulnerability risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-7375

CWE-ID: CWE-611

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Libxml2
Universal components / Libraries / Libraries used by multiple products

Vendor: Gnome Development Team

Description
The vulnerability allows a remote unauthenticated attacker to perform XXE attack on the target system.

The weakness exists in the xmlParsePEReference function due to insufficient validation for external entities. A remote attacker can perform XXE attack and gain access to potentially sensitive information.

Mitigation
Update to version 2.9.5 or later.

Vulnerable software versions

Libxml2: 2.5.1 - 2.9.4-16-g0741801

External links
https://git.gnome.org/browse/libxml2/commit/?id=90ccb58242866b0ba3edbef8fe44214a101c2b3e

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM App Connect Enterprise Certified Container

Gentoo update for libxml2

Information disclosure in libxml2